aixyz-on-openclaw

Fail

Audited by Snyk on Mar 4, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The guide shows embedding API keys (OPENAI_API_KEY=sk-...) in files/examples and explicitly endorses passing a wallet private key via a CLI flag (--private-key) and notes the CLI will display private keys, which requires handling/outputting secrets verbatim and is high-risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly instructs users to create and fund crypto wallets, to provide private keys, and to perform on-chain actions (ERC-8004 register) via the aixyz CLI (including a --broadcast flag). It also configures the agent to accept x402 crypto micropayments and to set a payTo wallet address so funds flow directly to that wallet. These are concrete crypto/blockchain payment and transaction capabilities (wallet management, signing/broadcasting transactions, receiving payments), which fit the "Direct Financial Execution" criteria.
Audit Metadata

Risk Level: HIGH
Analyzed: Mar 4, 2026, 10:04 AM